Unpatched IE Zero-Day Exploits Prove Extensive

Researchers at several security providers have shown that both the extent and the duration of exploits taking advantage of a recently disclosed Internet Explorer zero-day vulnerability are far greater than previously known.

Microsoft recently published an emergency security advisory in response to reports of a zero-day vulnerability found in the company’s Internet Explorer browser that could allow for remote code execution by attackers.

“The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated,” Microsoft’s advisory stated.

Early last week, researchers confirmed that the vulnerability was exploited in water-hole style attacks, dubbed “Operation DeputyDog,” which have targeted Japanese organizations since at least mid-August. The attackers may be the same as those who compromised security vendor Bit9 earlier this year.

Later in the week, a separate group of researchers discovered that the exploit was also being used to serve up malware by way of a compromised website belonging to Taiwan’s Government e-Procurement System.

A third set of researchers confirmed the Taiwanese compromise and pushed the IE zero-day exploit timeline back to at least July 1, 2013.

“These C&C communications predate the widely-reported first use of this attack infrastructure by more than six weeks, and indicates that the attacks from this threat actor are not just limited to Japan,” the researchers stated.

Microsoft is planning to release a patch for the vulnerability, and in the meantime recommends users “apply the Microsoft Fix it solution, CVE-2013-3893 MSHTML Shim Workaround, that prevents exploitation of this issue. See Microsoft Knowledge Base Article 2887505 to use the automated Microsoft Fix it solution to enable or disable this workaround.”